The <security-constraint> item in web.xml implements role-based security restrictions for your web application.
Its <http-method> element lets you specify POST, GET, and so on, to restrict what kind of action is taken.

However, there's a big problem with this technique: browsers typically implement only POST and GET for form submissions; they typically don't implement PUT and DELETE.
This means that <http-method> is not very useful, in practice, for implementing fine-grained security constraints.

(It's important to note that the role-based security restrictions defined by the servlet specification do nothing for restrictions based on ownership of data, such as those seen in many public web sites.
Such restrictions prevent one user from editing items created by some other user, for example.)

There is an alternative to using <http-method>: use the extension appearing in the URL.
In this case, URLs take the form:

.../Account.list

.../Account.add

.../Account.delete

.../Account.fetch?Id=45

When thinking of security, it's natural to think in terms of nouns and verbs:

what is being operated on - the noun

what exactly is being done to it - the verb

In the above example, Account is the noun, while the extension (.list, .add, and so on) is the verb.
With this style, any degree of granularity for security constraints can be implemented.
One can mix and match the nouns and the verbs independently of each other, in a natural way.
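The two styles side by side, as an added example that is not part of the original page: a small Python audit (the web.xml and the function names are constructed for this example) that lists what each <security-constraint> covers and flags the ones scoped by <http-method>. The container applies such a constraint only to the verbs it names, so every other method on that url-pattern is left unconstrained, while a noun.verb url-pattern such as *.delete has no such gap (Servlet 3.1 also offers <deny-uncovered-http-methods/> to close it).

```python
import xml.etree.ElementTree as ET
# Constructed web.xml for this example (not from the original page): the first
# constraint is scoped to one HTTP method, the second uses the noun.verb URL style.
SAMPLE_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account, by HTTP method</web-resource-name>
      <url-pattern>/Account/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>editor</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account, by URL verb</web-resource-name>
      <url-pattern>*.add</url-pattern>
      <url-pattern>*.delete</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>editor</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

def local_name(tag):
    """Drop the namespace so the audit works with or without xmlns on <web-app>."""
    return tag.rsplit("}", 1)[-1]

def audit_constraints(web_xml):
    """One dict per <security-constraint>; method_scoped means only the named verbs are checked."""
    report = []
    for sc in ET.fromstring(web_xml):
        if local_name(sc.tag) != "security-constraint":
            continue
        fields = {"url-pattern": [], "http-method": [], "role-name": []}
        for node in sc.iter():
            name = local_name(node.tag)
            if name in fields and node.text:
                fields[name].append(node.text.strip())
        report.append({"patterns": fields["url-pattern"], "roles": fields["role-name"],
                       "methods": [m.upper() for m in fields["http-method"]],
                       "method_scoped": bool(fields["http-method"])})
    return report

def method_scoped_patterns(web_xml):
    """Patterns whose role check covers only the listed verbs; any other method
    (GET here, or PUT, DELETE, HEAD, ...) reaches them with no auth-constraint."""
    return sorted({p for c in audit_constraints(web_xml) if c["method_scoped"]
                   for p in c["patterns"]})
```

Run against a real deployment descriptor, any pattern reported by method_scoped_patterns is one where the role check depends on the verb rather than on the URL.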